Analysis of Recent Attacks on South Korean Targets by Kimsuky Abusing GitHub as Attack Infrastructure
2025-06-19 • ENKI • Cyber threat report on Kimsuky, XenoRAT
ENKI describes a Kimsuky-linked spearphishing operation that abused GitHub and Dropbox as malware delivery and collection infrastructure. The malware carried hardcoded GitHub Personal Access Tokens with the repo scope, which grants full read and write access to the token owner's private repositories; it used them to download payloads stored under RTF file names and to upload victim logs. The payloads decompressed into XenoRAT-based .NET malware whose C2 addresses included 158.247.230.196:443, 216.244.74.115:80, and 165.154.78.9:443. Decoy documents impersonated South Korean legal, financial, administrative, and traffic-related notices, while the logs captured host details, running processes, boot-time data, web page titles, and keystrokes. The report attributes the activity to Kimsuky through XenoRAT C2 analysis and repository evidence, showing how attacker-controlled GitHub infrastructure supported targeted spearphishing in South Korea.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | p-e.kr | 2021-12-21 | 2026-06-01 |
| IPv4 | 158.247.230.196 | 2025-06-19 | 2026-04-17 |
| IPv4 | 158.247.202.109 | 2025-06-19 | 2026-04-17 |
| IPv4 | 141.164.41.17 | 2025-06-19 | 2025-08-18 |
| HASH | b99c1d9bf70be5172a8b36b098c67ee5 | 2025-06-19 | 2025-06-19 |
| HASH | 8c84d7f559cf0947fbf1981a0acb8a35 | 2025-06-19 | 2025-06-19 |
| HASH | 57015267d06b0d80721015ccd29a04cd | 2025-06-19 | 2025-06-19 |
| HASH | f692c1dd797f68c34744a377482c4ed4 | 2025-06-19 | 2025-06-19 |
| HASH | 74b1d5f857a4245aef8189ac4f409a99 | 2025-06-19 | 2025-06-19 |
| HASH | 976ad041832082f2d304df12b61457cb | 2025-06-19 | 2025-06-19 |
| HASH | 5076c579e378f976a57e862e5b6a7859 | 2025-06-19 | 2025-06-19 |
| HASH | af999c3c615b56691d75e8c877e185fb | 2025-06-19 | 2025-06-19 |
| HASH | 522a122f3cd4c488a51d81c846bfabbb | 2025-06-19 | 2025-06-19 |
| HASH | 6cbc007799b56682ac196e44d79e496d | 2025-06-19 | 2025-06-19 |
| HASH | 7df07ecb0b516df085a5ee95ed8e6560 | 2025-06-19 | 2025-06-19 |
| HASH | b13ffe7b8e351291250f1a3a855134aa | 2025-06-19 | 2025-06-19 |
| HASH | c2f88038d431bb190454fae02225e639 | 2025-06-19 | 2025-06-19 |
| HASH | f51a2ccb4b9b2bf163c81b525bfac08e | 2025-06-19 | 2025-06-19 |
| HASH | b36159563452d9a837a5e566ad2a1e44 | 2025-06-19 | 2025-06-19 |
| HASH | a9d80e7fe3f217ea4d33f8a4a0f3f73c | 2025-06-19 | 2025-06-19 |
| HASH | acd2d728ee4d1110521524c1eac6204e | 2025-06-19 | 2025-06-19 |
| HASH | 8c561a53085651d7f47b24129c2cd2d0 | 2025-06-19 | 2025-06-19 |
| HASH | d0a8cd7584547bdb2959f0d1008e6871 | 2025-06-19 | 2025-06-19 |
| HASH | b77e4e9f5897f00dcbd08b2ee9bde7e8 | 2025-06-19 | 2025-06-19 |
| HASH | a87659641e00d724de5662b14fe142e8 | 2025-06-19 | 2025-06-19 |
| HASH | 5e9a80d3d4f71ecd8bf8e579a5e2449c | 2025-06-19 | 2025-06-19 |
| HASH | 45ed6abfc12be606bdbcfe76bd17b2af | 2025-06-19 | 2025-06-19 |
| HASH | 5be0527f5c84208371761cee852f0d7c | 2025-06-19 | 2025-06-19 |
| HASH | baf164d2a5066cab5772dc6ae4807f43 | 2025-06-19 | 2025-06-19 |
| HASH | 0cb6e67f23ccebc3727f755be5140497 | 2025-06-19 | 2025-06-19 |
| HASH | a56edfef94008c77abfb4e151df934d9 | 2025-06-19 | 2025-06-19 |
| HASH | 10ce9409d8d1e72ea6439bec7cd7e4cd | 2025-06-19 | 2025-06-19 |
| HASH | 30d5f17d5e3f85be18220a7cab0b9fff | 2025-06-19 | 2025-06-19 |
| HASH | 157d1b1798f0f370a95125253e039c18 | 2025-06-19 | 2025-06-19 |
| HASH | 1dee4c60fffcc80eb4bbd523eedab2f4 | 2025-06-19 | 2025-06-19 |
| HASH | 1808bd4919c5943096a4a19784d6b8de | 2025-06-19 | 2025-06-19 |
| EMAIL | [email protected] | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-06-19 | 2025-06-19 |
| IPv4 | 139.99.36.158 | 2025-06-19 | 2025-06-19 |
| IPv4 | 118.194.249.201 | 2025-06-19 | 2025-06-19 |
| IPv4 | 158.247.253.215 | 2025-06-19 | 2025-06-19 |
| IPv4 | 216.244.74.115 | 2025-06-19 | 2025-06-19 |
| IPv4 | 45.61.161.103 | 2025-06-19 | 2025-06-19 |
| IPv4 | 165.154.78.9 | 2025-06-19 | 2025-06-19 |
| HASH | 85f5075610661c9706571a33548d7585 | 2025-03-17 | 2025-06-19 |
| IPv4 | 101.36.114.190 | 2025-03-17 | 2025-06-19 |
| URL | https://dl.dropboxusercontent.c… | 2025-02-13 | 2025-06-19 |
| IPv4 | 80.71.157.55 | 2024-08-21 | 2025-06-19 |
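The following Python is an added example, not code from the ENKI report or from XenoRAT, and it covers the two practical needs raised by the summary and the table above: hunting a dropped sample for hardcoded GitHub classic PATs (the `ghp_` format GitHub has used since 2021, the only PAT type that carries the coarse `repo` scope) and GitHub repo API URLs, scanning UTF-16LE views because XenoRAT is a .NET assembly and stores string literals that way; and parsing the IoC table in the markdown form shown above to match proxy, DNS and AV log lines, with suffix matching so hostnames under a listed parent domain are caught. The binary stand-in, token, repository names and log lines are all constructed; the token is a synthetic placeholder, not a credential.

```python
"""Hunting helpers for the GitHub/Dropbox abuse described above.
Added example, not ENKI's code; all samples below are constructed."""
import re
from typing import Iterable

# GitHub's published token formats: classic PATs are "ghp_" + 36 alphanumerics,
# fine-grained PATs are "github_pat_" + 82 chars. Only classic PATs carry the
# coarse "repo" scope the report describes.
TOKEN_RE = re.compile(rb"(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})")
# REST endpoints a repo-scoped token is driven against (download/upload via /contents/).
REPO_API_RE = re.compile(rb"https://api\.github\.com/repos/[^\s\"'\x00]+")


def _views(blob: bytes) -> Iterable[bytes]:
    """Yield the raw bytes plus UTF-16LE decodings at both alignments:
    string literals in a .NET assembly (XenoRAT is .NET) live in the #US heap
    as UTF-16LE, so an ASCII-only scan misses them."""
    yield blob
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore")
        yield text.encode("utf-8", errors="ignore")


def extract_github_artifacts(blob: bytes) -> dict[str, list[str]]:
    """Return PAT-shaped strings and GitHub repo API URLs found in blob."""
    tokens: set[str] = set()
    urls: set[str] = set()
    for view in _views(blob):
        tokens.update(m.decode() for m in TOKEN_RE.findall(view))
        urls.update(m.decode() for m in REPO_API_RE.findall(view))
    return {"tokens": sorted(tokens), "repo_urls": sorted(urls)}


# Constructed stand-in for a dropped .NET payload: an ASCII token (synthetic,
# not a real credential) and a UTF-16LE repo URL, as a compiled assembly stores it.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"ghp_0123456789abcdefghijklmnopqrstuvwxyz" + b"\x00\x00"
    + "https://api.github.com/repos/example-org/example-repo/contents/notice.rtf".encode("utf-16-le")
    + b"\x00\x00"
)

# Subset of the IoC table above, in its markdown form, to show the parser
# tolerates the header and separator rows.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | p-e.kr | 2021-12-21 | 2026-06-01 |
| IPv4 | 158.247.230.196 | 2025-06-19 | 2026-04-17 |
| IPv4 | 216.244.74.115 | 2025-06-19 | 2025-06-19 |
| HASH | b99c1d9bf70be5172a8b36b098c67ee5 | 2025-06-19 | 2025-06-19 |
"""


def parse_ioc_table(text: str) -> dict[str, set[str]]:
    """Group IoC values by upper-cased type; values are lower-cased for matching."""
    iocs: dict[str, set[str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue
        iocs.setdefault(cells[0].upper(), set()).add(cells[1].lower())
    return iocs


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def match_log_line(line: str, iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (type, value) IoC hits in one log line. Domains match by suffix so
    hostnames under a listed parent domain are caught."""
    hits: list[tuple[str, str]] = []
    hits += [("IPv4", ip) for ip in IPV4_RE.findall(line) if ip in iocs.get("IPV4", set())]
    for host in HOST_RE.findall(line):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in iocs.get("DOMAIN", set())):
            hits.append(("DOMAIN", h))
    hits += [("HASH", m.lower()) for m in MD5_RE.findall(line) if m.lower() in iocs.get("HASH", set())]
    return hits


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return (line index, hits) for every line with at least one IoC hit."""
    return [(i, h) for i, line in enumerate(lines) if (h := match_log_line(line, iocs))]


# Constructed proxy/DNS/AV log lines; the api.github.com line is deliberately
# absent from the results: the abused service itself is not an IoC.
SAMPLE_LOGS = [
    "2025-06-20T01:02:03Z proxy src=10.0.0.5 dst=158.247.230.196:443 proc=sample.exe",
    "2025-06-20T01:02:09Z dns q=update.p-e.kr a=216.244.74.115",
    "2025-06-20T01:03:00Z proxy src=10.0.0.5 dst=api.github.com:443 proc=sample.exe",
    "2025-06-20T01:04:00Z av md5=B99C1D9BF70BE5172A8B36B098C67EE5 path=C:\\Users\\u\\AppData\\sample.exe",
]

if __name__ == "__main__":
    print(extract_github_artifacts(SAMPLE_BLOB))
    for idx, hits in scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(idx, hits)
```

The api.github.com line in the sample produces no hit, which is the report's point: the abused platform is legitimate, so IoC matching has to be paired with content-level hunting for token strings and API paths, or with telemetry on which processes are talking to api.github.com and dl.dropboxusercontent.com. Two caveats: p-e.kr is a parent domain under which arbitrary hostnames are registered, so a suffix hit there is a lead rather than a conviction; and a recovered `ghp_` token should go to GitHub for revocation, where the `X-OAuth-Scopes` response header on any authenticated API call confirms the granted scopes without touching the attacker's repository contents.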